package org.wso2.am.choreo.extensions.token.handler;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import io.grpc.StatusRuntimeException;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import net.minidev.json.JSONArray;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.am.choreo.extensions.token.handler.utils.ApplicationTokenUtils;
import org.wso2.am.choreo.extensions.token.handler.utils.ChoreoScopeIssuerUtils;
import org.wso2.am.choreo.extensions.token.handler.utils.GrpcClientException;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.grant.token.exchange.utils.TokenExchangeUtils;
import org.wso2.carbon.identity.oauth2.model.RequestParameter;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.validators.OAuth2TokenValidationMessageContext;
import org.wso2.carbon.identity.oauth2.validators.scope.ScopeValidator;

/* loaded from: input_file:org/wso2/am/choreo/extensions/token/handler/ChoreoScopeIssuer.class */
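public class ChoreoScopeIssuer implements ScopeValidator {
    private static final Log log = LogFactory.getLog(ChoreoScopeIssuer.class);

    /**
     * Authorization-request flow. This issuer does not filter scopes here; the request
     * is accepted as-is.
     *
     * @param oAuthAuthzReqMessageContext the authorization request context (not inspected)
     * @return always {@code true}
     */
    public boolean validateScope(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws IdentityOAuth2Exception {
        return true;
    }

    /**
     * Narrows the scopes of a token request to the ones the authenticated subject is
     * entitled to and stores the result on the context through {@code setScope}.
     *
     * <p>Two flows are handled: when the client id matches the configured Choreo portal
     * client, scopes are resolved for the subject (optionally per organisation when an
     * {@code orgHandle} request parameter is present); otherwise the request is treated as
     * a token exchange and scopes are derived from the {@code subject_token} JWT's group and
     * scope claims.
     *
     * <p>Branches that return {@code true} without calling {@code setScope} leave whatever
     * scope list the framework already placed on the context untouched.
     *
     * @param oAuthTokenReqMessageContext the token request context; its scope list is updated in place
     * @return always {@code true}; rejection is signalled by narrowing the scope list, not by {@code false}
     * @throws IdentityOAuth2Exception when the orgHandle parameter is present but has no value, when the
     *         {@code subject_token} parameter is ambiguous (sent more than once), or when the scope
     *         back-ends cannot be reached
     */
    public boolean validateScope(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        logDebug("Validating scope with Choreo Scope Issuer");
        if (!ChoreoScopeIssuerUtils.isConfigsSet()) {
            logDebug("Choreo extension configuration is not set!");
            // NOTE(review): returns without narrowing the scopes already on the context; whether the
            // framework then issues the requested scopes unfiltered depends on the caller — confirm.
            return true;
        }
        String clientId = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId();
        String subjectIdentifier = oAuthTokenReqMessageContext.getAuthorizedUser().getAuthenticatedSubjectIdentifier();
        String[] requestedScopes = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getScope();
        if (requestedScopes == null || requestedScopes.length == 0) {
            logDebug("Requested scope list is empty. Returning empty validated scope list");
            oAuthTokenReqMessageContext.setScope(new String[0]);
            return true;
        }
        if (subjectIdentifier == null) {
            // No authenticated subject to authorize against. As above, the context's scope list is
            // left as the framework set it.
            return true;
        }
        if (ChoreoScopeIssuerUtils.isClientIdMatching(clientId)) {
            return issuePortalScopes(oAuthTokenReqMessageContext, clientId, subjectIdentifier, requestedScopes);
        }
        return issueExchangedTokenScopes(oAuthTokenReqMessageContext, clientId, requestedScopes);
    }

    /**
     * Token-validation flow. No scope checks are performed here.
     *
     * @param oAuth2TokenValidationMessageContext the validation context (not inspected)
     * @return always {@code true}
     */
    public boolean validateScope(OAuth2TokenValidationMessageContext oAuth2TokenValidationMessageContext) throws IdentityOAuth2Exception {
        return true;
    }

    /**
     * @return the display name of this validator
     */
    public String getName() {
        return "choreo scope issuer";
    }

    /**
     * Choreo portal flow: resolves the scopes the subject may hold, either organisation-bound
     * (when {@code orgHandle} is sent) or application-bound, and writes them to the context.
     *
     * @param context         the token request context to update
     * @param clientId        the requesting client's id
     * @param subject         the authenticated subject identifier (non-null)
     * @param requestedScopes the scopes asked for (non-empty)
     * @return always {@code true}
     * @throws IdentityOAuth2Exception on a missing orgHandle value, an ambiguous subject_token, or a
     *         failure talking to the scope back-end
     */
    private boolean issuePortalScopes(OAuthTokenReqMessageContext context, String clientId, String subject,
                                      String[] requestedScopes) throws IdentityOAuth2Exception {
        try {
            List<String> issuedScopes;
            if (ChoreoScopeIssuerUtils.isOrgHandleRequestParamPresent(context.getOauth2AccessTokenReqDTO())) {
                logDebug("orgHandle request param is present. Hence issuing org based token.");
                Optional<RequestParameter> orgHandleParam =
                        ChoreoScopeIssuerUtils.getOrgHandleFromTokenRequest(context.getOauth2AccessTokenReqDTO());
                if (!orgHandleParam.isPresent() || orgHandleParam.get().getValue() == null
                        || orgHandleParam.get().getValue().length == 0) {
                    log.error("orgHandle request param: orgHandleor value is not present in request");
                    throw new IdentityOAuth2Exception("orgHandle request param: orgHandleor value is not present in request");
                }
                String orgHandle = orgHandleParam.get().getValue()[0];
                SignedJWT subjectJwt = getSignedSubjectToken(context.getOauth2AccessTokenReqDTO().getRequestParameters());
                List<String> userGroups = subjectJwt == null
                        ? new ArrayList<>()
                        : getUserGroupsFromSignedSubjectJWT(subjectJwt);
                // Group-aware resolution only when the subject token actually carries groups.
                issuedScopes = userGroups.isEmpty()
                        ? new ArrayList<>(ChoreoScopeIssuerUtils.getScopesForOrg(subject, orgHandle, requestedScopes))
                        : new ArrayList<>(ChoreoScopeIssuerUtils.getScopesForGroupsInEnterpriseOrg(
                                subject, orgHandle, requestedScopes, userGroups));
            } else {
                issuedScopes = new ArrayList<>(Arrays.asList(ChoreoScopeIssuerUtils.getScopes(subject, clientId, requestedScopes)));
            }
            addOpenIdScopeIfRequested(requestedScopes, issuedScopes);
            logDebug("Requested scope list: " + String.join(", ", requestedScopes));
            logDebug("Generated choreo portal scope list: " + String.join(", ", issuedScopes));
            context.setScope(getStringArrayFromList(issuedScopes));
            return true;
        } catch (StatusRuntimeException | GrpcClientException e) {
            log.error("Error while validating scopes", e);
            throw new IdentityOAuth2Exception("Error while validating scopes", e);
        }
    }

    /**
     * Token-exchange flow: scopes already present in the {@code subject_token} are kept, and
     * newly requested ones are granted only through the subject's groups in the client's
     * organisation (when the authz service is enabled).
     *
     * @param context         the token request context to update
     * @param clientId        the requesting client's id
     * @param requestedScopes the scopes asked for (non-empty)
     * @return always {@code true}
     * @throws IdentityOAuth2Exception when the subject token cannot be processed or the scope
     *         back-end fails; the original exception is kept as the cause
     */
    private boolean issueExchangedTokenScopes(OAuthTokenReqMessageContext context, String clientId,
                                              String[] requestedScopes) throws IdentityOAuth2Exception {
        try {
            SignedJWT subjectJwt = getSignedSubjectToken(context.getOauth2AccessTokenReqDTO().getRequestParameters());
            if (subjectJwt == null) {
                logDebug("Could not obtain subject_token from request.");
                // NOTE(review): the context's scope list is left untouched here as well.
                return true;
            }
            List<String> issuedScopes = new ArrayList<>();
            addOpenIdScopeIfRequested(requestedScopes, issuedScopes);
            context.addProperty(TokenHandlerConstants.SIGNED_JWT, subjectJwt);
            List<String> alreadyIssuedScopes = getAlreadyIssuedScopesListInJWT(subjectJwt, Arrays.asList(requestedScopes));
            List<String> userGroups = getUserGroupsFromSignedSubjectJWT(subjectJwt);
            if (userGroups.isEmpty()) {
                logDebug("User groups are not available in the JWT. Hence requested scopes will not be issued.");
                context.setScope(getStringArrayFromList(alreadyIssuedScopes));
                return true;
            }
            List<String> newlyRequestedScopes = removeAlreadyIssuedScopesFromRequested(requestedScopes, alreadyIssuedScopes);
            if (newlyRequestedScopes.isEmpty()) {
                logDebug("Requested scope list is empty. Hence no new scopes will be issued, except for already issued.");
                context.setScope(getStringArrayFromList(alreadyIssuedScopes));
                return true;
            }
            String orgUuid = ApplicationTokenUtils.getOrgUuidByConsumerKey(clientId);
            if (orgUuid == null) {
                logDebug(String.format("Organization not available for clientId : %s. Hence requested scopes will not be issued.", clientId));
                context.setScope(getStringArrayFromList(alreadyIssuedScopes));
                return true;
            }
            if (ChoreoScopeIssuerUtils.isAuthzServiceEnabled()) {
                issuedScopes.addAll(ChoreoScopeIssuerUtils.getUserScopesForGroups(orgUuid, userGroups, newlyRequestedScopes));
            }
            issuedScopes.addAll(alreadyIssuedScopes);
            context.setScope(getStringArrayFromList(issuedScopes));
            return true;
        } catch (StatusRuntimeException | GrpcClientException | IdentityOAuth2Exception e) {
            // String.join instead of String[].toString(), which only printed the array's identity hash.
            String message = String.format("Error while validating requested scopes : [%s] for against groups",
                    String.join(", ", requestedScopes));
            log.error(message, e);
            throw new IdentityOAuth2Exception(message, e);
        }
    }

    /**
     * Extracts the {@code subject_token} request parameter and parses it as a signed JWT.
     * Only that single parameter is inspected, so unrelated parameters with no value or
     * duplicated keys no longer break the request.
     *
     * @param requestParameters the raw token request parameters (may be {@code null})
     * @return the parsed JWT, or whatever {@code TokenExchangeUtils.getSignedJWT} returns for an
     *         absent ({@code null}) token
     * @throws IdentityOAuth2Exception when {@code subject_token} is sent more than once (the request
     *         is ambiguous and is rejected rather than silently picking one value), or when parsing fails
     */
    private SignedJWT getSignedSubjectToken(RequestParameter[] requestParameters) throws IdentityOAuth2Exception {
        String subjectToken = null;
        boolean seen = false;
        if (requestParameters != null) {
            for (RequestParameter parameter : requestParameters) {
                if (parameter == null || !TokenHandlerConstants.SUBJECT_TOKEN.equals(parameter.getKey())) {
                    continue;
                }
                if (seen) {
                    log.error("subject_token request param is present more than once in request");
                    throw new IdentityOAuth2Exception("subject_token request param is present more than once in request");
                }
                seen = true;
                String[] values = parameter.getValue();
                if (values != null && values.length > 0) {
                    subjectToken = values[0];
                }
            }
        }
        return TokenExchangeUtils.getSignedJWT(subjectToken);
    }

    /**
     * Adds the OpenID scope to {@code target} when it was requested, mirroring the
     * unconditional pass-through of that scope in both flows.
     *
     * @param requestedScopes the scopes asked for
     * @param target          the list being built; modified in place
     */
    private void addOpenIdScopeIfRequested(String[] requestedScopes, List<String> target) {
        if (Arrays.asList(requestedScopes).contains(ChoreoScopeIssuerUtils.OPENID_SCOPE)) {
            target.add(ChoreoScopeIssuerUtils.OPENID_SCOPE);
        }
    }

    /**
     * Reads the groups claim of the subject token as a list of strings. Used by both the
     * portal (enterprise-organisation) and the token-exchange flow.
     *
     * <p>The claim is accepted as any {@code List} rather than cast to {@code JSONArray}: depending
     * on the JWT library version the parsed claim may be a plain {@code java.util.List}, and a
     * non-array claim is ignored instead of raising a {@code ClassCastException}. Null elements
     * are skipped rather than turned into the literal group name "null".
     *
     * @param signedJWT the parsed subject token
     * @return the group names, empty when the claim set or the claim is absent
     * @throws IdentityOAuth2Exception propagated from claim-set extraction
     */
    private List<String> getUserGroupsFromSignedSubjectJWT(SignedJWT signedJWT) throws IdentityOAuth2Exception {
        JWTClaimsSet claimSet = TokenExchangeUtils.getClaimSet(signedJWT);
        List<String> groups = new ArrayList<>();
        if (claimSet == null) {
            logDebug("Claim values are empty in the given JWT. Hence requested user groups be will empty.");
            return groups;
        }
        Object groupsClaim = claimSet.getClaim(TokenHandlerConstants.TOKEN_CLAIM_GROUPS);
        if (groupsClaim instanceof List) {
            for (Object group : (List<?>) groupsClaim) {
                if (group != null) {
                    groups.add(group.toString());
                }
            }
        } else if (groupsClaim != null) {
            logDebug("Groups claim in the given JWT is not an array. Hence requested user groups will be empty.");
        }
        return groups;
    }

    /**
     * Returns the requested scopes that are not already carried by the subject token.
     *
     * @param requestedScopes     the scopes asked for (may be {@code null} or empty)
     * @param alreadyIssuedScopes the scopes found in the subject token (may be {@code null})
     * @return a new mutable list; empty when nothing was requested
     */
    private List<String> removeAlreadyIssuedScopesFromRequested(String[] requestedScopes, List<String> alreadyIssuedScopes) {
        if (requestedScopes == null || requestedScopes.length == 0) {
            logDebug("Requested scope list is empty. Cannot check against issued scopes and hence returning empty list.");
            return new ArrayList<>();
        }
        List<String> remaining = new ArrayList<>(Arrays.asList(requestedScopes));
        if (alreadyIssuedScopes == null || alreadyIssuedScopes.isEmpty()) {
            logDebug("Already issued scope list is empty.");
        } else {
            remaining.removeAll(alreadyIssuedScopes);
        }
        return remaining;
    }

    /**
     * Returns the scopes from the subject token's scope claim that are also in
     * {@code requestedScopes}.
     *
     * <p>The claim is split on {@code SCOPE_SEPARATOR} whenever it is non-blank; a claim holding
     * a single scope (no separator) is a valid value and is recognised too, instead of being
     * treated as misformatted.
     *
     * @param signedJWT       the parsed subject token
     * @param requestedScopes the scopes asked for
     * @return a new mutable list of matching scopes, empty when the claim is absent or unparsable
     * @throws IdentityOAuth2Exception propagated from claim-set extraction
     */
    private List<String> getAlreadyIssuedScopesListInJWT(SignedJWT signedJWT, List<String> requestedScopes) throws IdentityOAuth2Exception {
        List<String> issued = new ArrayList<>();
        JWTClaimsSet claimSet = TokenExchangeUtils.getClaimSet(signedJWT);
        if (claimSet == null) {
            logDebug("Claim values are empty in the given JWT. Hence cannot find issued scopes.");
            return issued;
        }
        try {
            String scopeClaim = claimSet.getStringClaim(TokenHandlerConstants.TOKEN_CLAIM_SCOPE);
            if (scopeClaim == null) {
                logDebug("No scopes specified in the JWT claims. Hence cannot find issued scopes.");
            } else if (StringUtils.isNotBlank(scopeClaim)) {
                for (String scope : scopeClaim.split(TokenHandlerConstants.SCOPE_SEPARATOR)) {
                    if (requestedScopes.contains(scope)) {
                        issued.add(scope);
                    }
                }
            } else {
                logDebug("Scope is an empty string or misformatted. It should be a string containing a space-separated list");
            }
        } catch (ParseException e) {
            // Keep the exception as the log cause rather than flattening it into the message.
            log.error("Error while parsing scope claim to string in subject_token.", e);
        }
        return issued;
    }

    /**
     * Debug log guarded by {@code isDebugEnabled} so message concatenation at call sites is
     * the only cost when debug logging is off.
     */
    private void logDebug(String message) {
        if (log.isDebugEnabled()) {
            log.debug(message);
        }
    }

    /**
     * Converts a scope list to an array, dropping duplicates. Insertion order is preserved so
     * the resulting scope string is deterministic.
     *
     * @param list the scopes (may be {@code null})
     * @return a possibly empty array, never {@code null}
     */
    private String[] getStringArrayFromList(List<String> list) {
        if (list == null) {
            return new String[0];
        }
        Set<String> unique = new LinkedHashSet<>(list);
        return unique.toArray(new String[0]);
    }
}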
